Manaf Meethalavalappu Pallikunhi
8d38d15759
sepolicy: add support for limits-cdsp sepolicy context
...
Add limits_block_device file contexts for limits partitions
and allow thermal-engine to access this partition.
Add lmh-cdsp sysfs file to sysfs_thermal file context.
Change-Id: I9c18c9d862f5e99ca36cb8c38acd98ac4f152ebf
2019-09-23 00:06:15 -07:00
Vivek Arugula
11a5a1c2e3
sepolicy : Add policy rules for usta service
...
As part of making USTA (Sensor android test application)
installable, we split the app into 2 parts. One acts only as UI,
another one acts as a service which interacts with sensors native
via JNI. Both the apps are placed in system/app path only.
Change-Id: I58df425bebef96b9d6515179e9581eed03571ad6
2019-09-13 17:34:22 -07:00
qctecmdr
700457194e
Merge "sepolicy: Add permission for QtiMapperExtension version 1.1."
2019-08-09 04:57:41 -07:00
qctecmdr
76f19f2ea6
Merge "sepolicy: Add rules to enhance pkt logging for cnss_diag"
2019-08-09 02:11:29 -07:00
Ashish Kumar
78fbc21a47
sepolicy: Add permission for QtiMapperExtension version 1.1.
...
CRs-Fixed: 2505716
Change-Id: I61d02bcccf2069f792f2ee118fcf5dbf9a7b77ee
2019-08-08 22:25:46 -07:00
Hu Wang
f0b0780006
sepolicy: Add rules to enhance pkt logging for cnss_diag
...
Fix sepolicy denials seen when cnss_diag does pkt logging.
CRs-Fixed: 2502031
Change-Id: If0ae5fb9da36483bef686ae86bdd865f8a3e51ec
2019-08-08 04:48:33 -07:00
kranthi
03232c6a4f
Sepolicy : Do not audit untrusted_app_27 to fix avc denials
...
Add do not audit rule for untrusted_app_27 to fix AVC
denials for gpubusy and max_gpuclk props
denial:
type=1400 audit(0.0:465): avc: denied { read } for name="max_gpuclk" dev="sysfs"
ino=56328 scontext=u:r:untrusted_app_27:s0:c178,c256,c512,c768
tcontext=u:object_r:sysfs_kgsl:s0 tclass=file permissive=0 app=com.gameloft.android.ANMP.GloftA9HM
type=1400 audit(0.0:381): avc: denied { read } for name="gpubusy" dev="sysfs"
ino=56330 scontext=u:r:untrusted_app_27:s0:c168,c256,c512,c768
tcontext=u:object_r:sysfs_kgsl:s0 tclass=file permissive=0 app=com.tencent.ig
Change-Id: If11c109b5426c598121cff045ad1693d2221d57e
2019-08-07 11:35:59 +05:30
Jilai Wang
7dab1aa8e1
sepolicy: Allow NN HAL to access npu device node
...
This change is to allow NN HAL to access npu device node.
Change-Id: I193a7fb0b571a734804bc31ccf52376e9a13d500
2019-08-06 16:55:43 -04:00
Jaihind Yadav
4676536dd1
sepolicy: rule to set kptrstrict value
...
Change-Id: I05764146d61ff2ff934888280523fa0559dd083c
2019-07-31 23:22:36 -07:00
qctecmdr
662e886cb2
Merge "sepolicy: Rename vendor defined property"
2019-07-30 12:53:17 -07:00
Jun-Hyung Kwon
2475d56cc7
Revert "sepolicy : Add property access rules for sensors init script"
...
This reverts commit 50dbc4287a.
Change-Id: Ia35ac0fc17cf2fc6cde6cc08465cf1d586a28f5d
2019-07-29 17:59:28 -07:00
Pavan Kumar M
50ef9c7f89
sepolicy: Rename vendor defined property
...
All vendor defined properties should begin with
vendor keyword.
Change-Id: I0235d2b37ead9f015fe27075906dbf33b218173f
2019-07-29 00:22:17 -07:00
qctecmdr
bb7f2ca878
Merge "Sepolicy: Add policy rules for untrusted_app context"
2019-07-28 21:21:10 -07:00
Rahul Janga
0eb606ffab
Sepolicy: Add Do not audit for vendor_gles_data_file
...
Addressing the following denials:
audit(0.0:118774): avc: denied { read } for name="esx_config.txt"
dev="dm-4" ino=7451 scontext=u:r:system_app:s0
tcontext=u:object_r:vendor_gles_data_file:s0 tclass=file permissive=1
avc: denied { open } for path="/data/vendor/gpu/esx_config.txt"
dev="dm-4" ino=7451 scontext=u:r:system_app:s0
tcontext=u:object_r:vendor_gles_data_file:s0 tclass=file permissive=1
avc: denied { getattr } for path="/data/vendor/gpu/esx_config.txt"
dev="dm-4" ino=7451 scontext=u:r:system_app:s0
tcontext=u:object_r:vendor_gles_data_file:s0 tclass=file permissive=1
Change-Id: I1d9a8c64a2206e3faa9f367f731f3f542ce7fd4b
2019-07-25 11:06:50 +05:30
Rahul Janga
9610a7ef1f
Sepolicy: Add policy rules for untrusted_app context
...
Add gpu related policy rules for untrusted_app
Addressing the following denial:
type=1400 audit(0.0:593): avc: denied { search } for name="gpu" dev="dm-0"
ino=405 scontext=u:r:untrusted_app:s0:c144,c256,c512,c768
tcontext=u:object_r:vendor_gles_data_file:s0 tclass=dir permissive=0
app=com.android.chrome
Change-Id: Iabbc7bea6f00a055f7f0ea3d2b926225737b99d5
2019-07-24 09:54:45 -07:00
qctecmdr
6e692787b6
Merge "Sepolicy: White list adreno_app_profiles lib"
2019-07-24 04:45:42 -07:00
qctecmdr
83bbdc849e
Merge "Sepolicy : Do not audit untrusted_app_27 to fix avc denials"
2019-07-23 05:35:59 -07:00
Aditya Nellutla
202f6a1a0f
Sepolicy: White list adreno_app_profiles lib
...
This change white lists new adreno_app_profiles library
to avoid sepolicy denials.
Change-Id: Ied35b574aff554a8d26e2cee4fa0530098a48080
2019-07-23 17:40:35 +05:30
Aditya Nellutla
fcbbf0696e
Sepolicy : Do not audit untrusted_app_27 to fix avc denials
...
Add do not audit rule for untrusted_app_27 to fix AVC
denials for gpubusy and max_gpuclk props
Change-Id: Idc541a0effc6812c12c1ff5024dfd0b6d4171180
2019-07-23 16:45:49 +05:30
qctecmdr
280fff6e47
Merge "Sepolicy : Do not audit mediaswcodec access to vendor_gles_data_file"
2019-07-23 02:48:00 -07:00
qctecmdr
78d4d2046a
Merge "sepolicy permission required for Socket in port_bridge module."
2019-07-22 05:35:32 -07:00
Chinmay Agarwal
9c95b19d57
sepolicy permission required for Socket in port_bridge module.
...
Given SE Policy permissions for port-bridge module to create a UNIX
socket and enable communication with clients in different modules.
Change-Id: I1d3a4fdc30847cd8ee7f7715d3249c1957a0776d
2019-07-22 14:21:49 +05:30
Rahul Janga
026b564bc3
Sepolicy : Do not audit mediaswcodec access to vendor_gles_data_file
...
Addressing the following denial:
type=1400 audit(0.0:10197): avc: denied { search } for name="gpu"
dev="dm-4" ino=405 scontext=u:r:mediaswcodec:s0
tcontext=u:object_r:vendor_gles_data_file:s0 tclass=dir permissive=0
Change-Id: I02c0e40e376dc9d856e1541ba85ede5db379d49a
2019-07-19 13:50:09 +05:30
qctecmdr
c39df4864d
Merge "sepolicy: Add write permission to proc file system"
2019-07-18 23:55:40 -07:00
Ankita Bajaj
bd1c72c440
sepolicy: Add write permission to proc file system
...
Provide Wi-Fi HAL read and write access to proc file system.
Wi-Fi Hal needs access to proc file system in order to configure
kernel tcp parameters for achieving higher peak throughputs.
CRs-Fixed: 2491783
Change-Id: I36613f74aaa4adfc33e68442befcdb78af5edd5c
2019-07-17 14:06:46 +05:30
Ramkumar Radhakrishnan
718f54d0f1
te: Add access permissions for feature_enabler_client
...
Add read/write and get attribute permission for feature_enabler_client
to access files from /mnt/vendor/persist/feature_enabler_client folder
Change-Id: I9a690acd2a55358dfa5ba5a0411b1dad59e5e7f0
2019-07-16 16:31:19 -07:00
Jilai Wang
8a996616fd
sepolicy: Allow appdomain to access NPU device driver node
...
This change is to allow appdomain to access NPU device driver
node.
Change-Id: I5c3270afd105c236a8226d94ac7aa028e4ce1047
2019-07-12 11:23:42 -04:00
qctecmdr
790484ce21
Merge "sepolicy: Add policy rules for untrusted_app27"
2019-07-05 01:52:26 -07:00
qctecmdr
27f397e091
Merge "sepolicy: add sepolicy for new added prop"
2019-07-04 16:57:00 -07:00
qctecmdr
eefd2e03be
Merge "sepolicy: Allow all processes to access non-secure DSP device node"
2019-07-03 21:50:38 -07:00
qctecmdr
2f8e6c76ac
Merge "sepolicy: Update thermal-engine sepolicy rules for generic vendor file"
2019-07-03 21:45:04 -07:00
qctecmdr
04ad6d3f83
Merge "sepolicy: add permissions to qoslat device on kona"
2019-07-03 21:44:05 -07:00
shoudil
fe25195b29
sepolicy: add sepolicy for new added prop
...
Add sepolicy for new property ro.vendor.qti.va_odm.support,
and allow the prop settable for vendor_init.
Change-Id: Ie8b5fa13630c3dc332473088676a59404765745e
CRs-Fixed: 2483344
2019-07-03 17:28:37 +08:00
Tharun Kumar Merugu
818b8a81de
sepolicy: Allow all processes to access non-secure DSP device node
...
Allow all processes to offload to CDSP using the non-secure device
node.
Change-Id: I17036280ab5ee35e802f6a5c0e5f95933a427f8f
2019-07-03 04:21:20 +05:30
Sandeep Neerudu
39b6ea1f19
sepolicy-sensors:allow access to vendor_data_file for On Device Logging
...
Change-Id: I85a31c39c82df7a33e632267a90ebfc38982b5d4
2019-07-02 02:43:20 -07:00
Manaf Meethalavalappu Pallikunhi
00a7aae2a8
sepolicy: Update thermal-engine sepolicy rules for generic vendor file
...
Update generic thermal-engine sepolicy rule by adding access of
thermal socket, QMI socket, dsprpc access, uio access etc. and
cleanup unwanted sepolicy access.
Change-Id: I83ba6cbe291d594b8b2d8720046851b3fb550aac
2019-07-02 14:41:58 +05:30
Rahul Janga
828e434087
sepolicy: Add policy rules for untrusted_app27
...
Updated new policy rules for untrusted_app_context.
This change allows apps to access our debug locations.
Change-Id: I9a647ff6e303764a3280aed846e5cb9a4b80ef79
2019-07-01 19:33:06 +05:30
qctecmdr
f48e75edbe
Merge "kona: Add rules for kernel 4.19 support for init domain"
2019-06-28 14:25:41 -07:00
qctecmdr
326d19f2fe
Merge "sepolicy: Allow binder call action for location from system_server"
2019-06-28 02:06:59 -07:00
David Ng
e9adb2964f
kona: Add rules for kernel 4.19 support for init domain
...
This is a set of vendor changes necessary for interworking
with kernel version 4.19 properly.
With kernel 4.19, additional filesystem getattr operations
are performed by init for the firmware mount points.
In addition on bootup after adb remount with Android's
Dynamic Partition feature, init needs access to underlying
block devices for overlayfs mounting. At that stage of
init, while SELinux is initialized (thus the need to add
these rules), the underlying block device nodes in tmpfs
have not yet been labeled.
Change-Id: Iaf15fda401da7b4a34e281e010e16303966bb2c0
2019-06-27 18:23:45 -07:00
Amir Vajid
6143b71b4f
sepolicy: add permissions to qoslat device on kona
...
Add permissions to access qoslat device on kona.
Change-Id: I944372c6218dd98b6b7996215d06251f571c34e5
2019-06-26 19:09:34 -07:00
qctecmdr
e31c7c321e
Merge "Sepolicy : Enable smcinvoke_device for Widevine"
2019-06-26 14:10:19 -07:00
Smita Ghosh
9cb4501ac6
Sepolicy: Set genfs context for modem restart_level
...
ssr_setup needs permission to write related to restart_level
Change-Id: Ie917cf6d942b7636385a135870651baf7aae62a3
2019-06-26 09:30:24 -07:00
Harikrishnan Hariharan
1eedfff43e
sepolicy: Allow binder call action for location from system_server
...
Change-Id: Iff0baf6966b545fa9bdc5d03e0221ee05d144326
CRs-Fixed: 2479129
2019-06-26 01:46:55 -07:00
Phalguni
0968dd3f1c
Sepolicy : Enable smcinvoke_device for Widevine
...
Change-Id: Ie3439958b0cb3f6b1b56870c3b3bad49e70e8b4d
2019-06-25 17:03:06 -07:00
qctecmdr
1ec1fa4cd5
Merge "Add file contexts for new partitions on Kona"
2019-06-25 09:27:05 -07:00
Vinayak Soni
f80ff8d11c
Add file contexts for new partitions on Kona
...
Add file contexts for multiimgqti, featenabler
and core_nhlos partitions to enable A/B OTA update
on these partitions.
Change-Id: I532be0343de4068fd40b00b675d2765c5e5ab4f0
2019-06-24 13:58:54 -07:00
Ravi Kumar Siddojigari
5dc863443d
sepolicy : adding misc bootup denials
...
Following are added:
1. ueventd and vold need search/read access to /mnt/vendor/persist
2. system_server needs access to /sys/class/rtc/rtc0 path.
Change-Id: I4d5f322019f1e75aab1be2168eb3805f4f3998c6
2019-06-24 18:44:04 +05:30
Smita Ghosh
6230a463f5
KONA: Add support for update_engine
...
Change-Id: I514d6ece3186bc27a07b38ba76f5154e092428f9
2019-06-19 17:56:33 -07:00
qctecmdr
f668967b3c
Merge "Sepolicy: Add power off alarm app rules"
2019-06-18 14:05:22 -07:00